- 06-30-2005 #1
Unusually active firewall?
I was recently having issues with some programs and decided to put my Linux box in a DMZ, and as a result, bypassed all the normal firewalling functions of my router/NAT. I installed iptables and a graphical frontend for it, 'firestarter'. My outgoing rules are permissive with only blacklisted traffic, and my incoming rules drop all except for the ports specified (22, 25, 80, 110 for the moment). The primary reason I installed the graphical frontend was for its system tray notification feature. As a result I have noticed UDP connections (generally on or around ports 1024-1026, but all over) from a multitude of IPs several times a minute. I host a site on the machine, but it's just a personal blog and rarely sees more than 25 unique IPs a day. I can provide the actual logs should someone want to see them, but I was wondering: is this much traffic normal? My guess is that some forwarding feature on my router is sending information to different ports than they originate at, but something like that seems to be ineffective.
Any experiences that might help?
(The router is a D-Link, should that make a difference.)
- 07-05-2005 #2 Linux Guru
- Join Date: Oct 2001
- Location: Täby, Sweden
- Posts: 7,578
Yes, it's normal. There are millions of worm-infected zombie boxes on the Internet that probe computers for presence and vulnerabilities all the time. I used to get a couple of hundred break-in attempts per day on HTTP only. I don't even monitor attempted TCP connections, but I'd say it's a safe bet that they are many.
- 08-09-2005 #3 Just Joined!
- Join Date: Jul 2005
- Location: Albuquerque, NM
- Posts: 9
I noticed many attempts, one about every thirty seconds, or maybe less. Most are directed to ports 1026-UDP and 1027-UDP. Occasionally they attempt ports 1434-TCP/HTTPS, 22-TCP, 1433-TCP/Ms-sql-s. Also get unknown ports-ICMP. Most are from the same IPs, must have bots running all the time. I get many from my own ISP, but most come from China.
I have no idea what these are, but I do know they do not get through.
Dave
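To tell the background noise described in this thread from a single host hammering one port, it helps to aggregate the dropped-packet log by destination port and source instead of watching tray notifications. The following is an added example, not code from this thread or from firestarter: it parses constructed iptables LOG lines (kernel-log format, field names as written by the iptables LOG target; the "Inbound" prefix and the documentation-range addresses are assumptions) and reports which sources keep returning to the same port.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of iptables LOG output as it appears in the kernel log.
SAMPLE_LOG = """\
Jul  5 10:01:02 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=448 PROTO=UDP SPT=1028 DPT=1026 LEN=428
Jul  5 10:01:31 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=448 PROTO=UDP SPT=1028 DPT=1027 LEN=428
Jul  5 10:02:05 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4471 DPT=1433 WINDOW=65535 SYN
Jul  5 10:02:40 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=448 PROTO=UDP SPT=1028 DPT=1026 LEN=428
Jul  5 10:03:11 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52011 DPT=22 WINDOW=5840 SYN
Jul  5 10:03:50 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like SYN are skipped

def parse_line(line):
    """Return a dict of KEY=VALUE fields from one iptables LOG line, or None if it is not one."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # LEN appears twice for UDP (IP header and UDP header); keep the first occurrence
        fields.setdefault(key, value)
    return fields

def summarize(log_text):
    """Count dropped packets per (protocol, destination port) and per source within each port."""
    by_port = Counter()
    sources_per_port = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        key = (f.get("PROTO", "?"), f.get("DPT", "-"))  # ICMP has no DPT, so use "-"
        by_port[key] += 1
        sources_per_port[key][f["SRC"]] += 1
    return by_port, sources_per_port

def repeat_sources(sources_per_port, threshold=2):
    """Sources that hit the same port at least `threshold` times: scanners or bots, not random noise."""
    hits = {}
    for key, counter in sources_per_port.items():
        repeaters = sorted(src for src, n in counter.items() if n >= threshold)
        if repeaters:
            hits[key] = repeaters
    return hits
```

On a real system feed it the output of `grep Inbound /var/log/messages` (or wherever the kernel log lands) rather than the sample; a port that shows up hundreds of times from hundreds of distinct sources is worm noise, while one source returning every few seconds is worth a dedicated drop rule.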